Password Protect all .cfm files in a directory?

Participant, Jun 12, 2014

Greetings

Can anyone share the code one would put within Application.cfm to password-protect all the files in that directory?

The UN & PW are stored in a DB. Of course I could create a session ID and protect each page individually, which I have been doing for years, but in this case the pages are being loaded using a half-*ss CMS and the users, other than saving files as .cfm, will not be responsible for leaving the code on each page.

In the DB, the user name is subscriber_email, the password is subscriber_password.

Thanks for any help.

TOPICS: Advanced techniques

Community Expert, Jun 16, 2014

It is unclear what you wish to password-protect against. Accessing the directory? Writing a file into it? Opening a file in it? Requesting a CFM file in it by means of the browser?

Participant, Jun 16, 2014

Thank you for your reply.

The administrator will be uploading files to the directory via FTP. His access is controlled at that point.

Users need to sign up via a form and pay a fee. Once they are approved, they should be able to access all the CFM files in that directory via their browser.

Again, I have accomplished this for years by simply creating a session ID and, after successful login, protecting every page individually:

<CFIF NOT IsDefined("Session.user_id")>
    <cflocation url="login.cfm" addtoken="No">
<cfelse>
    webpage
</cfif>

but I have never had admins in control of uploading web pages that are unfortunately poorly coded, and they could never be responsible for adding the above code to each page.

What is your advice?

Thanks again

Norman

Community Expert, Jun 16, 2014

You have to add the above code to just one page, namely, Application.cfm. In other words, your approach remains valid.

Participant, Jun 16, 2014

So then this would be within Application.cfm:

<!--- Form values are interpolated straight into the SQL here (no cfqueryparam) --->
<CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
    SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
    FROM   main
    WHERE  subscriber_email = '#Trim(form.subscriber_email)#'
    AND    subscriber_password = '#Trim(form.subscriber_password)#'
</CFQUERY>

<!--- If user not found send back to login page. --->
<CFIF auth_admin.RecordCount EQ 0>
    <cflocation url="login.cfm?msg=1" addtoken="No">
    <cfabort>
<cfelse>
    <!--- Set session vars --->
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="3">
        <cfset session.user_id = "#auth_admin.subscriber_ID#">
        <cfset session.fname   = "#auth_admin.subscriber_fname#">
        <cfset session.logged  = true>
    </cflock>
    <cflocation url="index.cfm" addtoken="No">
</cfif>

and this would protect all cfm pages in the directory?

It seems as if it would not be necessary to create a session.user_id?

Community Expert, Jun 16, 2014

Yes, you could do it without sessions. For example, use the cflogin framework in Application.cfm. You should set, beforehand, loginStorage="session" in the cfapplication tag.

<cflogin>
    <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")><!--- User unauthenticated and not coming from login.cfm --->
        <!--- cfinclude takes a file path, not a URL; carry the message in a variable rather than "?msg=1" --->
        <cfset request.msg = 1>
        <cfinclude template="login.cfm">
        <cfabort>
    <cfelseif isDefined("form.subscriber_email")>
        <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
            AND    subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
        </CFQUERY>
        <cfif auth_admin.recordcount gt 0>
            <cfloginuser name = "#auth_admin.subscriber_email#" password = "#auth_admin.subscriber_password#" roles = "admin,poweruser" >
        <cfelse>
            <cfset request.msg = 1>
            <cfinclude template="login.cfm">
            <cfabort>
        </cfif>
    </cfif>
</cflogin>

Instead of a session variable, the test variable then becomes getAuthUser(). If the user is unauthenticated, getAuthUser() will be an empty string. Also, ColdFusion will only run the cflogin tag if the user is unauthenticated. The cfloginuser tag logs the user in. Once that happens, getAuthUser() assumes the value #auth_admin.subscriber_email#.

Some caveats. You will see that I am using cfinclude instead of cflocation. Using cflocation in Application.cfm can be problematic. Since the Application file is included at the beginning of every request, using cflocation in it might result in a request repeating indefinitely.

Participant, Jun 17, 2014

Hello

What is happening now is that, regardless of whether the username and password are correct, it sends the user back to the login page (there is no application.cfm file in the top directory, nor would this matter because the login form is an html file).

This is how I set up the application.cfm:

<cfapplication name="xxxx"
    clientmanagement="Yes"
    loginStorage="session"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
    SetClientCookies="Yes">

<cfparam name="Request.BaseDSN" default="xxxx">

<cflogin>
    <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
        <!--- User unauthenticated and not coming from login.html --->
        <!--- send user back to an html login page in the top directory with no application.cfm file --->
        <cfinclude template="../login.html">
        <cfabort>
    <!---  User authenticated   --->
    <cfelseif isDefined("form.subscriber_email")>
        <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
            AND    subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
        </CFQUERY>
        <cfif auth_admin.recordcount gt 0>
            <cfloginuser name = "#auth_admin.subscriber_email#" password = "#auth_admin.subscriber_password#" roles = "admin,poweruser">
            <!--- Authenticated User can now browse .cfm files in this subdirectory  --->
            <cfinclude template="index.cfm">
        <cfelse>
            <!--- ???? did we do this already ??? --->
            <cfinclude template="../login.html">
            <cfabort>
        </cfif>
    </cfif>
</cflogin>

<cfcontent type="text/html; charset=utf-8">
<cfscript>
SetEncoding("form","utf-8");
SetEncoding("url","utf-8");
</cfscript>

Community Expert, Jun 18, 2014

You might later need to add CFML code to the login page to extend its functionality. So, to start with, you should rename the login page to login.cfm. Otherwise, it is not a ColdFusion page. You may rename it from HTML to CFM without changing its content.

On to the main business. If you continue to see the login page, then ColdFusion must be running the cflogin tag. It implies that the user is not yet logged in, which in turn implies that the cfloginuser tag has yet to run. This suggests the query's recordcount is 0.

To test this hypothesis, temporarily delete the query's where-clause. What happens then?

There is another point. The cflogin framework is strictly for authentication. I would therefore put the following code elsewhere:

<!--- Authenticated User can now browse .cfm files in this subdirectory  --->
<cfinclude template="index.cfm">

In fact, so long as the user is logged in, ColdFusion won't run the tag cflogin. The page index.cfm will therefore not be included. That is actually the opposite of what you want.

One solution is to place the following code at a suitable location after the cflogin end-tag:

<cfif getAuthUser() is not "">
    <!--- Authenticated User can now browse .cfm files in this subdirectory  --->
    <cfinclude template="index.cfm">
</cfif>

Participant, Jun 19, 2014

BKBK: Hello again

I was under the impression that this method of protecting everything in the directory from being accessed unless the username and password were correct would also apply to the login.cfm page itself if the file resided in the same directory. That's why I kept it as an HTML file.

So I put the login form page back in the directory as login.cfm with application.cfm and this is the code:

<cfapplication name="xxxx"
    clientmanagement="Yes"
    loginStorage="session"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
    SetClientCookies="Yes">

<cfparam name="Request.BaseDSN" default="xxxx">

<cflogin>
    <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
        <!--- User unauthenticated and not coming from login.cfm --->
        <!--- send user back to login page --->
        <cfinclude template="login.cfm">
        <cfabort>
    <cfelseif isDefined("form.subscriber_email")>
        <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
            AND    subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
        </CFQUERY>
        <cfif auth_admin.recordcount gt 0>
            <!--- User authenticated   --->
            <cfloginuser name = "#auth_admin.subscriber_email#" password = "#auth_admin.subscriber_password#" roles = "admin,poweruser">
            <cfif getAuthUser() is not "">
                <!--- Authenticated User can now browse .cfm files in this sub-directory  --->
                <cfinclude template="index.cfm">
            </cfif>
        </cfif>
    </cfif>
</cflogin>

This does not work; it simply sends me back to the login page regardless.

BTW the form is set: <form action="index.cfm" method="POST">

Thanks for your continued help with this.

Community Expert, Jun 19, 2014

You apparently misunderstood my suggestion to place the last cfinclude code outside the cflogin tag. In any case, it doesn't matter now, given the current information. Since index.cfm is the action page of the login form, it should not be cf-included. If login is successful, the form will post to index.cfm anyway, which is effectively a new request.

<cflogin>
    <cfif getAuthUser() is "" and NOT isDefined("form.subscriber_email")>
        <!--- User unauthenticated and not coming from login.cfm --->
        <!--- send user back to login page --->
        <cfinclude template="login.cfm">
        <cfabort>
    <cfelseif isDefined("form.subscriber_email")>
        <CFQUERY name="auth_admin" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_password
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value='#Trim(form.subscriber_email)#' CFSQLTYPE='CF_SQL_VARCHAR'>
            AND    subscriber_password = <cfqueryparam value='#Trim(form.subscriber_password)#' CFSQLTYPE='CF_SQL_VARCHAR'>
        </CFQUERY>
        <cfif auth_admin.recordcount gt 0>
            <!--- User authenticated   --->
            <cfloginuser name = "#auth_admin.subscriber_email#" password = "#auth_admin.subscriber_password#" roles = "admin,poweruser">
        </cfif>
    </cfif>
</cflogin>

Now, ensure that there is a text field named subscriber_email in the form. Verify spelling! Also verify that the values of the (subscriber_email, subscriber_password) pair that you use in testing actually exist in the database table.

Community Expert, Jun 25, 2014

Oh, and there is also the logout page, to log the logged-in user out. You could include a condition in the application file to place a logout link on every page. For example,

<cfif getAuthUser() is not "">
    <a href="logout.cfm" title="Log out">Log out</a>
</cfif>

The content of logout.cfm is:

<cflogout>

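The following Application.cfm pulls the pieces of this thread together (the cflogin gate, the no-redirect-loop caveat, the login page living in the same directory, and the logout link) into one working file. It is an added example, not code posted by anyone in the thread. It departs from the thread in one deliberate way: the password is not compared in the SQL, and the table is assumed to hold a salted hash rather than the plaintext password. Names that are assumptions of this example and not from the thread: the subscriber_pwhash column and its "salt:hex(SHA-512(salt & password))" layout written at signup, the "subscriber" role, the request.loginMsg variable, and the existence of a logout.cfm in the protected directory. The cfapplication attributes, Request.BaseDSN, the main table and its subscriber_email column are taken from the thread.

```cfml
<!--- Application.cfm: gatekeeper for every .cfm request in this directory.
      Added example, not code from the thread. ASSUMED (not in the thread):
      column main.subscriber_pwhash holding "salt:hex(SHA-512(salt & password))"
      written at signup, a "subscriber" role name, request.loginMsg, and a
      logout.cfm file in this directory. --->
<cfapplication name="xxxx"
    loginStorage="session"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0,0,20,0)#"
    SetClientCookies="Yes">

<cfparam name="Request.BaseDSN" default="xxxx">

<!--- Pages that must keep working while logged out. login.cfm sits in this
      same directory, so without this exemption it would gate itself. --->
<cfset request.publicPages = "login.cfm,logout.cfm">
<cfset request.thisPage    = LCase(ListLast(cgi.script_name, "/"))>

<!--- Logout: cflogout clears the cflogin identity; clearing the session scope
      drops anything else that was keyed to this login. --->
<cfif request.thisPage is "logout.cfm">
    <cflogout>
    <cfset StructClear(session)>
    <cflocation url="login.cfm" addtoken="No">
</cfif>

<!--- ColdFusion runs cflogin only while the request has no authenticated
      user, so this block is the only place credentials are ever examined. --->
<cflogin>
    <cfif isDefined("form.subscriber_email") and isDefined("form.subscriber_password")>
        <!--- Look the account up by e-mail only, parameterised. The submitted
              password never goes into the SQL and is never compared in the DB. --->
        <cfquery name="auth" datasource="#Request.BaseDSN#">
            SELECT subscriber_ID, subscriber_fname, subscriber_email, subscriber_pwhash
            FROM   main
            WHERE  subscriber_email = <cfqueryparam value="#Trim(form.subscriber_email)#" cfsqltype="CF_SQL_VARCHAR">
        </cfquery>

        <!--- Recompute the salted hash and compare it with the stored one. --->
        <cfset loginOK = false>
        <cfif auth.recordcount eq 1>
            <cfset salt     = ListFirst(auth.subscriber_pwhash, ":")>
            <cfset expected = ListLast(auth.subscriber_pwhash, ":")>
            <cfset actual   = Hash(salt & form.subscriber_password, "SHA-512")>
            <cfset loginOK  = (CompareNoCase(actual, expected) eq 0)>
        </cfif>

        <cfif loginOK>
            <!--- password is a required attribute of cfloginuser but is not
                  used for anything afterwards with loginStorage="session";
                  pass a throwaway value rather than the real password. --->
            <cfloginuser name="#auth.subscriber_email#"
                         password="#CreateUUID()#"
                         roles="subscriber">
        </cfif>
    </cfif>
</cflogin>

<!--- The gate. Runs on every request, logged in or not. cfinclude + cfabort
      (not cflocation) renders the login form in place, so there is no redirect
      for this file to re-trigger and therefore no infinite loop. --->
<cfif getAuthUser() is "" and NOT ListFindNoCase(request.publicPages, request.thisPage)>
    <cfif isDefined("form.subscriber_email")>
        <!--- Same message for unknown e-mail and wrong password. --->
        <cfset request.loginMsg = "Invalid e-mail address or password.">
    </cfif>
    <cfinclude template="login.cfm">
    <cfabort>
</cfif>
```

The login form can keep the thread's `action="index.cfm"`: the POST reaches Application.cfm first, cflogin authenticates it, and the gate then lets index.cfm render in the same request. login.cfm itself only needs to print request.loginMsg when it is defined. The thread's logout.cfm no longer needs a body, because logout is handled above before cflogin runs. A single SHA-512 round is used here to keep the example self-contained; a purpose-built password hash (PBKDF2 via GeneratePBKDFKey() on ColdFusion 11 and later, or bcrypt) is the better choice for real accounts.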